Control Access to the Salesforce Mobile App
- Access the apps that connect to your Salesforce organization.
- Set OAuth policies for the Salesforce mobile app.
- Require a PIN code for mobile users.
- Configure the mobile session timeout.
- Edit mobile compliance policies.
In the previous unit, you learned that the Salesforce app is considered a connected app because it’s an external application that communicates with Salesforce through APIs. You can manage all of your organization’s connected apps—including the Salesforce app—from Salesforce Setup.
- From Setup, enter Connected Apps in the Quick Find box.
- Select Connected Apps.
Wait a minute...why is the list empty? If you’ve never installed the Salesforce mobile app or created any connected apps in your org, then there aren’t any apps to display in the list. Before you can edit the security and compliance policies for the Salesforce app, you first need to connect it to your org.
If the Salesforce app shows up in your org’s list, you can skip the next step.
It’s easy to connect the Salesforce app to your organization—all you have to do is install it on a mobile phone or tablet. The Salesforce mobile app is available as a download from Google Play or the App Store. If you run into any issues logging into your org from your device, check out the Salesforce Mobile App Basics module for more information about getting started with the app.
After you successfully install the Salesforce app, go back to the Connected Apps page in Setup. You should see entries for all of the Salesforce mobile apps. (Be patient. Sometimes it takes a few minutes for the list to update.)
On the Connected Apps page, you probably noticed that there are entries for both Android and iOS. That’s because they’re two separate apps, which gives you the ability to manage them differently.
As you learned in the previous unit, you can control the security and compliance settings for your organization’s connected apps, and those settings are called policies. To view the policies for the Salesforce mobile app, simply click Salesforce for Android or Salesforce for iOS in the list of connected apps.
If this is your first time seeing the connected app policies, you are probably feeling a little overwhelmed. Thankfully, not all of the settings apply to Salesforce app administration. Some of the options are used primarily by developers who create custom mobile apps, so we aren’t covering those here.
To configure the security and compliance policies for the Salesforce app, we edit the following sections of the Connected App Detail page:
- OAuth Policies
- Session Policies
- Mobile Integration
- Custom Attributes
Ready to get started? Then just click Edit Policies on the detail page. Or from the list of connected apps, click Edit next to the name of the app you want to modify.
The OAuth Policies section gives you control over how the Salesforce app connects and who’s allowed to use it. In the OAuth Policies section, you can:
- Specify which users have access to the Salesforce app.
- Relax or enforce your organization’s IP restrictions for mobile users.
- Determine how long a mobile user’s token is valid before requiring them to reenter their credentials.
Before we edit the OAuth policies, let’s address a potential concern. After reading the list above, you might be wondering why you would relax your organization’s IP restrictions for the Salesforce app.
Think about how mobile users are impacted by IP login restrictions. Those restrictions require users to log in to Salesforce from designated IP addresses—typically your corporate network or VPN. But mobile users often aren’t on your corporate network, which means they need to connect to VPN from their device every time they access the Salesforce app.
That can be a barrier to mobile adoption, so some organizations relax IP restrictions for mobile users. For example, you can specify that mobile users aren’t required to be on VPN as long as they provide a second factor of identification—for example, a verification code from a mobile authenticator app. You must balance your company’s security requirements with the need to provide a good mobile user experience.
You can edit the following OAuth policies for the Salesforce app.
- Permitted Users determines who can access the Salesforce app.
- All users may self-authorize—Anyone in your org can install the Salesforce app and log in. Users must approve the app the first time they access it.
- Admin-approved users are pre-authorized—Mobile access is limited to users with the appropriate profile or permission set. These users don’t have to approve the app before they can access it. You can preauthorize users by editing the Connected App Access list for the appropriate profiles or permission sets.
- IP Relaxation refers to IP restrictions for your users. You can either enforce or bypass
- Enforce IP restrictions—Salesforce app users are subject to the org’s IP restrictions, such as IP ranges set in the user’s profile.
- Enforce IP restrictions, but relax for refresh tokens—During initial login, Salesforce app users are subject to the org’s IP restrictions, such as IP ranges set in the user’s profile. However, these restrictions are relaxed when the app is using a refresh token to obtain a new access token.
- Relax IP restrictions for activated devices—Users accessing Salesforce from a verified browser or device bypass the org’s IP restrictions. If they access Salesforce from a new browser or device, they bypass IP restrictions after they successfully complete an identity verification.
- Relax IP restrictions—Users aren’t subject to any IP restrictions.
- Refresh Token Policy specifies how long the user’s token for the Salesforce app is valid.
When the token expires, users have to reenter their credentials to access the Salesforce app.
- Refresh token is valid until revoked—The token is used indefinitely, unless you revoke it.
- Immediately expire refresh token—The token is invalid immediately. The user can access the current session, but can’t obtain a new session without reentering credentials.
- Expire refresh token if not used for—The token expires if it isn’t used in the specified amount of time.
- Expire refresh token after—This setting expires the token after a fixed amount of time. For example, if the policy states 30 days, the token expires in a month even if the user is active in the Salesforce app on a daily basis.
When you initially set up your org, perhaps you configured a few session security settings, like a session timeout value. Using connected app policies, you can configure session settings that are specific to the Salesforce mobile app. In the Session Policies section, you have the following options:
Timeout Value controls how long a mobile session lasts.
- If you don’t set a value here, the Salesforce app uses the timeout value in the user’s profile.
- If the profile doesn’t specify a timeout value, the Salesforce app uses the timeout value in the org’s Session Settings.
- High assurance session required forces mobile users to log in to the Salesforce app using two-factor authentication. Two-factor authentication (2FA) enhances your org’s security by requiring a second level of authentication for every user login. When mobile users log in to the Salesforce app for the first time, they are prompted to set up an identity verification method if you haven’t already configured one for them.
You can add an extra layer of data protection by forcing mobile users to set up an app-specific PIN code for the Salesforce app so it locks after a period of inactivity. In the Mobile Integration section, use the following options to enforce a PIN code:
- Require PIN after specifies how much time can pass while the Salesforce app is idle before the app locks itself and requires the PIN. Allowable values are none (no locking), 1, 5, 10, and 30 minutes. This policy is only enforced if a corresponding PIN Length is configured.
- PIN Length sets the length of the identification number. The length can be from 4 to 8 digits.
This setting doesn’t invalidate a user’s session. When the app locks due to inactivity, this policy only requires that the user enter a PIN to continue using the current session.
If your company operates in a regulated industry, you have to comply with certain rules and standards. The Salesforce mobile app provides some settings that can help you meet those requirements. Using custom attributes for connected apps, you can:
- Disable the ability to copy and paste from Salesforce to other mobile apps.
- Prevent the ability to print from the Salesforce app.
- Require the use of a specific mobile email client for Salesforce.
- Disable file sharing from Salesforce to other mobile apps.
To set up the compliance policies:
- From Setup, enter Connected Apps in the Quick Find box.
- Select Connected Apps.
- Select the Android or iOS app.
- In the Custom Attributes related list, click New.
- Enter the key and value pair for the compliance policy you want to enforce. See the list of available attributes. Make sure you wrap the value in quotation marks.
- Click Save.
And that’s it—you’ve successfully set up the connected app policies for the Salesforce mobile app. We have one last batch of options to discuss, then we are done editing all the security settings. So let’s move on to the next unit!
- User Access and Security Policies for the Salesforce Downloadable Apps
- Edit a Connected App
- Restrict Where and When Users Can Log in to Salesforce
- Verify Your Identity
- Secure Your User’s Identity
- User Authentication
- Learn the Language of Identity
- Understand Security and Authentication
- Set Two-Factor Authentication Login Requirements
- Session Security
- Salesforce Connected App Attributes